Creaking protocols are threat to EU's telecom infrastructure security

Y'all better bake in safeguards before 5G rollout, says ENISA

Legacy technologies pose a threat to the European Union's telecommunications infrastructure, a study by cybersecurity agency ENISA warns.

2G/3G mobile networks worldwide still depend on SS7 and Diameter for controlling communications (routing voice calls and data) as well as sets of protocols designed "decades ago without giving adequate effect to modern day security implications", ENISA (the European Union Agency for Network and Information Security) said.

A full range of new services (e.g. cloud, financial etc.) is being developed or relies on telecoms infrastructures for their delivery.

Some security measures have been rolled out by more mature providers, but these only assure a basic level of protection. More needs to be done in order to achieve an adequate level across the EU, according to ENISA.

Although the current 4G mobile telecommunication generation uses a slightly improved signalling protocol, Diameter, this is still potentially vulnerable.

"The industry is still trying to understand exactly what the implications are and to identify possible workarounds," the study warned. "It is highly probable that in the near future we will see real attacks as well as suitable solutions becoming available."

The new 5G mobile generation is still under development. Early releases from some vendors are already available but the standards are still in their infancy. ENISA warns of a risk of history repeating.

"Given the improvements that 5G will bring – such as more subscribers, increased bandwidth etc – having the same security risks can be extremely dangerous," it concluded.

The report makes several recommendations to stakeholders: the EU Commission should consider the adoption of baseline security requirements for electronic communications providers that include signalling security. And national regulators should consider whether telecom signalling issues should be incorporated into incident reporting regimes.

Telecom providers should "implement the necessary measures to ensure an adequate level of security and integrity of telecommunication networks," ENISA added. The agency also urged standardisation bodies to ensure that signalling security is properly covered within the new 5G standards.

The recommendations were put together by a panel of experts including representatives from most of the member states' national regulators. EU mobile network operators were consulted during the study. Trade body the GSMA assisted by both supplying specific documentation and promoting the study among its stakeholders. ®